K-Chess Data Breach Exposes 83,000 User Records From Online Chess Platform
An alleged data breach involving K-Chess, an online chess platform operated by Keysquare and associated with the Kasparov Chess ecosystem, has resulted in the exposure of approximately 83,000 user records. The dataset was shared publicly for the first time in January 2026, according to claims made by the threat actor responsible for the disclosure.
The actor alleges that the data was originally scraped from the platform’s database in 2024, raising questions about how long the information may have been circulating privately before its public release. K-Chess is widely used by players to compete, train, and consume chess-related content, making the incident notable despite the absence of direct financial data.
What Is Known About the Breach
The leaked dataset reportedly contains around 83,000 rows of user information. Sample records shared alongside the disclosure indicate that the platform’s infrastructure is linked to keysquare.io, with avatar URLs and other metadata referencing Keysquare-hosted resources.
The threat actor stated that this is the first time the database has been made publicly available. There has been no independent confirmation regarding the method used to obtain the data, though scraping rather than direct system compromise has been cited.
Types of Information Exposed
The leaked data includes a broad range of personal and account-related details. User identity fields such as full names, usernames, and email addresses are present across the dataset, creating immediate risk for phishing and account takeover attempts.
In addition, the records reportedly include linked social account identifiers tied to Google, Facebook, and Apple logins. While these IDs do not necessarily grant direct access, they can be valuable for social engineering and account correlation.
Personal Profiles and Platform Metadata
Beyond basic identity data, the dataset contains personal profile information such as birthdates, country of residence, and time zone settings. These details, when combined with email addresses, can significantly increase the effectiveness of targeted scams.
Account-level metadata is also included, covering user tier (such as free accounts), skill level, avatar URLs, and visibility settings. Timestamps showing account creation and last update activity are present, offering insight into user behavior patterns.
Chess Statistics and Competitive Data
One of the more unusual aspects of the leak is the depth of chess-related performance data. The exposed records include extensive rating information across multiple game modes, including Bullet, Blitz, Rapid, Classic, Daily, Chess960, and Puzzles.
These statistics reportedly include Glicko ratings and deviation values, offering a detailed snapshot of player performance and progression. While not sensitive in isolation, such data can still contribute to user profiling when combined with personal identifiers.
Potential Impact on Users
Although no payment card or password data has been mentioned, the exposure of emails, linked social IDs, and personal details places affected users at elevated risk of phishing and impersonation attempts. Gaming communities are increasingly targeted by attackers due to high engagement levels and account reuse across platforms.
Users associated with K-Chess may wish to remain vigilant for unsolicited communications, particularly messages referencing chess activity or account issues. Reused email addresses and social logins could amplify risk beyond the platform itself.
Broader Context for Online Platforms
The K-Chess incident highlights how non-financial platforms can still become meaningful targets for data harvesting. Even when breaches are the result of scraping rather than direct intrusion, the resulting datasets can carry long-term privacy and security implications.
As online platforms expand their feature sets and collect richer user data, the responsibility to protect that information grows accordingly. Incidents like this reinforce the need for stronger controls against large-scale data extraction and better visibility into how user data is accessed and shared.